"Trusted Computing": Trust for the Big Brothers?
Ruediger Weis
cryptolabs Amsterdam
Datenspuren, Dresden, R. Weis ©2004 – p.1/50
Overview
TCG and Microsoft
TCG 1.2
Backdoors and Hardware Security
Removing Endorsement Key
Direct Anonymous Attestation
New Idea: Owner Override
Planned Hardware Changes
Memory curtaining
Secure input and output
Sealed storage
Remote attestation
CCC Wanted Poster 0.2
’One chip to rule them all’
Richard Stallman:
"Treacherous computing is a major threat to our freedom".
CHIP: CeBIT Highlights 2003: The Best Products
"Brake of the Year": IT alliance TCPA
’The right way to look at this’
"The right way to look at this is you are putting a virtual set-top box inside your PC. You are essentially renting out part of your PC to people you may not trust."
Ron Rivest, ACM Turing Award Winner 2002. (≈ Nobel Prize for Computer Science)
Whitfield Diffie
RSA Conference, San Francisco, April 2003.
Whitfield Diffie, Inventor of Public-Key Cryptography.
"(The Microsoft approach) lends itself to market domination, lock out, and not really owning your own computer. That's going to create a fight that dwarfs the debates of the 1990's."
"To risk sloganeering, I say you need to hold the keys to your own computer"
Ron Rivest
Prof. Ron Rivest (MIT), Developer of the RSA Algorithm and the MD4 hash function family.
"We should be watching this to make sure there are the proper levels of support we really do want".
"We need to understand the full implications of this architecture. This stuff may slip quietly on to people's desktops, but I suspect it will be more a case of a lot of debate."
TCG and Microsoft
Microsoft will use TCG 1.2 for Longhorn.
Microsoft controls ca. 90% of the operating systems market.
TCG and Palladium SHOULD NOT be discussed separately.
TCG also brings problems to Open Source Software like GNU/Linux.
Windows Media Player EULA
"Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer."
Enforcement
"Microsoft licenses ridiculous"?
Enforcement by
TPM chip
DMCA
Forced ’updates’
Forced ’Updates’
heise online News, 12.09.2003, Xbox Live closes "security hole"
heise online News, 19.08.2003, Microsoft wants automatic update function for next Windows
heise online News, 03.09.2003, Bill Gates bets on automatic updates
New in TCG 1.2
+ DAA
+ FIPS 140-2
(+) Removable Endorsement Key
+ AES192, AES256, Triple-DES
- SHA1
- Openness
Black Box Crypto
Hidden channels are so easy, even in "provably" secure systems:
Ruediger Weis, cryptolabs Amsterdam
Stefan Lucks, Universität Mannheim
"All Your Keybit are belong to us - The Truth about Blackbox Cryptography",
SANE 2002, Maastricht 2002.
Main Results
It is possible to smuggle secret information out of a "provably secure" black-box system in a "provably secure" way.
Even a hardware analysis cannot reveal which information has been leaked.
Sophisticated Bit Smuggling
Example: use the IV of block cipher modes. Let $E_{pub}$ be the public key of the designer Dora and $K'$ an additional secret key hard-wired into the device. We generate the IV as follows:
Let $Y = E_{pub}(K)$
choose $(n-1)$ random bits
$(r_1, \dots, r_{n-1}) \in \{0,1\}^{n-1}$
Sophisticated Bit Smuggling II
depending on $(r_1, \dots, r_{n-1})$ and $K'$, pseudorandomly generate $(z_1, \dots, z_m) \in \{0,1\}^m$ (e.g. $\mathrm{Streamcipher}((r_1, \dots, r_{n-1}, 0) \oplus K')$)
compute
$p = \bigoplus_{1 \le i \le m} z_i y_i$
and use
$(r_1, \dots, r_{n-1}, p) \in \{0,1\}^n$ as IV.
Covert Channel
Knowing $K'$, Dora can compute $(z_1, \dots, z_m)$ from $(r_1, \dots, r_{n-1})$.
She collects $m$ linearly independent vectors; these then allow her to compute
$(y_1, \dots, y_m) = Y = E_{pub}(K)$
by solving a system of linear equations.
With $Y$ she can determine $K$.
Comfortable Eavesdropping
It is remarkable that only
a small number
of ciphertexts, not necessarily adjacent in time,
need to be
passively intercepted.
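A toy simulation of the channel described on the preceding slides, added here for illustration; it is not code from the talk or from the SANE 2002 paper. SHAKE-256 stands in for the stream cipher, Y is a random 64-bit stand-in for E_pub(K), and all function names and sizes are assumptions. It shows that little more than m observed IVs suffice to solve for Y, while the leaked parity bit looks balanced to anyone who lacks K'.

```python
import hashlib
import secrets

N = 128   # IV length n in bits (one cipher block)
M = 64    # length m of the leaked value Y (toy size, assumption)

def parity(x):
    return bin(x).count("1") & 1

def z_vector(r, k_prime):
    # (z_1..z_m) = PRG((r_1..r_{n-1}, 0) XOR K'); SHAKE-256 replaces the stream cipher
    seed = ((r << 1) ^ k_prime).to_bytes(N // 8, "big")
    return int.from_bytes(hashlib.shake_256(seed).digest(M // 8), "big")

def device_iv(y, k_prime):
    # Device side: n-1 fresh random bits plus one parity bit p = XOR_i z_i*y_i
    r = secrets.randbits(N - 1)
    return (r << 1) | parity(z_vector(r, k_prime) & y)

def recover_y(ivs, k_prime):
    # Observer side: each IV is one linear equation <z, Y> = p over GF(2).
    # Returns (Y, number of IVs consumed), or None if the rank stays below m.
    basis = {}                                  # pivot bit -> (row, rhs)
    for used, iv in enumerate(ivs, 1):
        row, rhs = z_vector(iv >> 1, k_prime), iv & 1
        while row:                              # reduce against known pivots
            pivot = row.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = (row, rhs)
                break
            row, rhs = row ^ basis[pivot][0], rhs ^ basis[pivot][1]
        if len(basis) == M:
            break
    else:
        return None
    y = 0
    for pivot in sorted(basis):                 # back-substitute, low bits first
        row, rhs = basis[pivot]
        y |= (rhs ^ parity(row & y)) << pivot
    return y, used

def demo(count=200):
    k_prime = secrets.randbits(N)               # constructed hard-wired key K'
    y = secrets.randbits(M)                     # constructed stand-in for E_pub(K)
    ivs = [device_iv(y, k_prime) for _ in range(count)]
    return y, recover_y(ivs, k_prime), sum(iv & 1 for iv in ivs) / count
```

`demo()` returns the planted Y, the recovered Y with the number of IVs it took, and the fraction of IVs whose last bit is 1.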
Official TCG Statement
Answer of the TCG to the CCC questions (June 2003)
"Of course it cannot be completely ruled out that a chip manufacturer builds a TPM with functions that deviate from the specification and allow access to stored keys."
International and Independent Control needed.
Processor Integration...
External Key Generation
The keys are often generated outside the chip to save money.
Producer has easy access to the private key of the user device.
International and Independent Control needed.
NSA and Backdoors
heise online News, 09.08.2003, NSA wants to take action against backdoors
"In his testimony, Wolf also pointed out that "untrustworthy hardware" can become a problem of similar magnitude."
Microsoft and Backdoors
Q: Won’t the FBI, CIA, NSA, etc. want a back door?
A: Microsoft will never voluntarily place a back door in any of its products and
would fiercely resist any government attempt to require back doors in products.
From a security perspective, such back doors are an unacceptable security risk
because they would permit unscrupulous individuals to compromise the
confidentiality, integrity, and availability of our customers’ data and systems. [...]
... ”never voluntarily” ...
MS: Lawful Interception
Q: How could a law enforcement agency access data protected by the NGSCB architecture?
A: Just as with other commercial-grade cryptographic hardware, law enforcement agencies could conceivably "break" the SSC in the hardware of a seized machine to obtain machine secrets.
Intel and Backdoors
July 2003: Hearing at the Ministry of Economy: 1 min of silence
Streams: Bundesministerium für Wirtschaft und Arbeit
Symposium: "Trusted Computing Group (TCG)", 2 and 3 July 2003 (Berlin), http://www.webpk.de/bmwa/willkommen.php
Intel has learned
Processor-ID failed.
Oct 2003: IDF:
Own Endorsement Key
FIPS certification
Zero-Knowledge
No Backdoors ('naive')
... but still there are a lot of problems.
TCG 1.2
Nov 2003: RSA Amsterdam: TCG 1.2
FIPS 140-2
Who does the evaluation?
Removable Endorsement Key
Fine for big companies and 3 letter organizations.
Direct Anonymous Attestation
Good idea!
MUST 2048 bit or greater
TCG 1.2 (Part 1, p. 12 f.)
"All Storage keys MUST be of strength equivalent to a 2048 bit RSA key or greater."
"The minimum RECOMMENDED key size is 2048 bits."
Why support for 512, 768 and 1024?
Why SHA-1 with only 160 bit output?
Real-World Key-Management
2001: Microsoft server certificate expired (MSN, Passport, ...).
Microsoft still seems to be looking for a "lost" certificate from 2001.
nsa key
TCPA Certificate expired
'Never compatible'
Peter N. Biddle, Microsoft Product Unit Manager Palladium, Comdex 2002
"In principle, the entire Palladium architecture could also be ported to Linux, were it not for the license reservations in the style of the GPL. Any code for a TPM is signed and encrypted by the TCPA. If anything is passed on, modified and recompiled, a new TCPA license is required. Seen this way, Trustworthy Computing will never be compatible with an open source license."
Microsoft: Open Source OS
Q: Could Linux, FreeBSD, or another open source OS create a similar trust architecture?
A: From a technology perspective, it will be possible to develop a nexus that interoperates with other operating systems on the hardware of a nexus-aware PC. Much of the next-generation secure computing base architecture design is covered by patents, and there will be intellectual property issues to be resolved. It is too early to speculate on how those issues might be addressed.
Demands
Chaos Computer Club
TCPA - Whom do we have to trust today?
http://www.ccc.de/digital-rights/forderungen
among others: full key control
A New Idea from the EFF
Egg of Columbus?!
EFF: Promise and Risk
Seth Schoen
Trusted Computing: Promise and Risk
Comments LT policy
http://www.eff.org/Infra/trusted_computing/
Problem Remote Attestation
Third parties can enforce policies against the computer owner, for example:
Digital Restrictions Management (DRM)
application lock-in
migration and back-up restrictions
forced upgrades and downgrades
application-specific spyware
preventing reverse engineering
Software Lock-In
Spyware
Speaking to Big Brothers
"Third-party uncertainty about your software environment is normally a feature, not a bug."
Samba ...
Real World Example
Owner Override
"Owner Override works by empowering a computer owner, when physically present at the computer in question, deliberately to choose to generate an attestation [...] to present the picture of her choice of her computer's operating system, application software or drivers."
Attestation + Owner Override
Compromise of software can still be made detectable by a remote party
Computer owners retain substantial control over local software
Competition, interoperability, user control and choice are preserved
Company Policy
An organization can more effectively enforce policies against its own members,
so long as they are using computers owned by the organization
TPM and Smart Cards
TPM ≈ Hardwired Smart Card
First realizations: LPC Bus
Cryptolabs Smart Card Stuff
File Encryption with KDE GUI
PGP and GPG
FreeS/WAN (with Bastiaan Bakker and Stefan Lucks)
Resistance helps
Intel has redrawn the plans for a Processor-ID because of user resistance.
TCG 1.2 has fixed some problems.
’We are important customers!’
Fight Digital Restrictions Management!
The OS War is over
Windows means slavery.
Apple is a company under US Law.
Live free:
GNU/Linux
BSD
Minix
Write your own and put it under GPL!
German Government on TCG
Federal Government's Comments on the TCG and NGSCB in the Field of Trusted Computing
www.bsi.de/trustcomp/stellung/StellungnahmeTCG1_2a_e.pdf
EU on TCG
23.01.2004: Data Protection Working Party of the European Union
Working document on trusted computing platforms and in particular the work of the Trusted Computing Group (TCG)
www.europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2004/wp86_en.pdf
Acknowledgments
© cryptolabs Amsterdam 2004 under the GNU Free Document License.
Produced with Free Software under GNU/Linux.
"Light into the Darkness", Spiegel Online 08/03
Big thanks to:
Rop Gonggrijp, Carla van Rijsbergen, Andreas Bogk, Lucky Green, Ross Anderson
Guido v. Noordende, Kees Bot, Philip Homburg, Jan-Mark Wams, Andy Tanenbaum